一、概述

Traefik 是一个开源的可以使服务发布变得轻松有趣的边缘路由器。它负责接收你系统的请求,然后使用合适的组件来对这些请求进行处理。

除了众多的功能之外,Traefik 的与众不同之处还在于它会自动发现适合你服务的配置。当 Traefik 在检查你的服务时,会找到服务的相关信息并找到合适的服务来满足对应的请求。

Traefik 兼容所有主流的集群技术,比如 Kubernetes,Docker,Docker Swarm,AWS,Mesos,Marathon,等等;并且可以同时处理多种方式。(甚至可以用于在裸机上运行的比较旧的软件。)

有了Traefik,就不需要维护和同步一个单独的配置文件:一切都会自动、实时地发生(没有重新启动,没有连接中断)。使用Traefik,您可以花时间在系统中开发和部署新特性,而不是配置和维护其工作状态。

二、概念

Edge Router

Traefik 是一个边缘路由器,是你整个平台的大门,拦截并路由每个传入的请求:它知道所有的逻辑和规则,这些规则确定哪些服务处理哪些请求;传统的反向代理需要一个配置文件,其中包含路由到你服务的所有可能路由,而 Traefik 会实时检测服务并自动更新路由规则,可以自动服务发现。

Auto Service Discovery

传统的边缘路由器(或反向代理)需要一个包含到服务的每个可能路由的配置文件,Traefik从服务本身获取它们。

在部署您的服务时,您需要附加一些信息,告诉Traefik服务可以处理的请求的特征。

这意味着在部署服务时,Traefik会立即检测到它并实时更新路由规则。反之亦然:当您从基础设施中删除服务时,路由将相应地消失。

您不再需要创建和同步混杂着IP地址或其他规则的配置文件。

核心概念

  • Providers 用来自动发现平台上的服务,可以是编排工具、容器引擎或者 key-value 存储等,比如 Docker、Kubernetes、File
  • Entrypoints 监听传入的流量(端口等…),是网络入口点,它们定义了接收请求的端口(HTTP 或者 TCP)。
  • Routers 分析请求(host, path, headers, SSL, …),负责将传入请求连接到可以处理这些请求的服务上去。
  • Services 将请求转发给你的应用(load balancing, …),负责配置如何获取最终将处理传入请求的实际服务。
  • Middlewares 中间件,用来修改请求或者根据请求来做出一些判断(authentication, rate limiting, headers, …),中间件被附件到路由上,是一种在请求发送到你的服务之前(或者在服务的响应发送到客户端之前)调整请求的一种方法。

三、安装

由于 Traefik 2.X 版本和之前的 1.X 版本不兼容,而且1.X 已经停止更新了。这里选择功能更加强大的 2.X 版本来和大家进行讲解,使用的镜像是 traefik:2.3.7。

创建 traefik-crd.yaml 文件

在 traefik v2.1 版本后,开始使用 CRD(Custom Resource Definition)来完成路由配置等,所以需要提前创建 CRD 资源。

## IngressRoute
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: ingressroutes.traefik.containo.us
spec:
scope: Namespaced
group: traefik.containo.us
version: v1alpha1
names:
kind: IngressRoute
plural: ingressroutes
singular: ingressroute
---
## IngressRouteTCP
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: ingressroutetcps.traefik.containo.us
spec:
scope: Namespaced
group: traefik.containo.us
version: v1alpha1
names:
kind: IngressRouteTCP
plural: ingressroutetcps
singular: ingressroutetcp
---
## Middleware
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: middlewares.traefik.containo.us
spec:
scope: Namespaced
group: traefik.containo.us
version: v1alpha1
names:
kind: Middleware
plural: middlewares
singular: middleware
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: tlsoptions.traefik.containo.us
spec:
scope: Namespaced
group: traefik.containo.us
version: v1alpha1
names:
kind: TLSOption
plural: tlsoptions
singular: tlsoption
---
## TraefikService
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: traefikservices.traefik.containo.us
spec:
scope: Namespaced
group: traefik.containo.us
version: v1alpha1
names:
kind: TraefikService
plural: traefikservices
singular: traefikservice
---
## TraefikTLSStore
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: tlsstores.traefik.containo.us
spec:
scope: Namespaced
group: traefik.containo.us
version: v1alpha1
names:
kind: TLSStore
plural: tlsstores
singular: tlsstore
---
## IngressRouteUDP
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: ingressrouteudps.traefik.containo.us
spec:
scope: Namespaced
group: traefik.containo.us
version: v1alpha1
names:
kind: IngressRouteUDP
plural: ingressrouteudps
singular: ingressrouteudp
# 部署 CRD 资源
# kubectl create -f traefik-crd.yaml
Warning: apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
customresourcedefinition.apiextensions.k8s.io/ingressroutes.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/ingressroutetcps.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/middlewares.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/tlsoptions.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/traefikservices.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/tlsstores.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/ingressrouteudps.traefik.containo.us created

创建rbac权限

Kubernetes 在 1.6 以后的版本中引入了基于角色的访问控制(RBAC)策略,方便对 Kubernetes 资源和 API 进行细粒度控制。Traefik 需要一定的权限,所以这里提前创建好 Traefik ServiceAccount 并分配一定的权限。

# cat traefik-rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: traefik-ingress-controller
namespace: kube-system
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-ingress-controller
rules:
- apiGroups:
- ""
resources:
- services
- endpoints
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- traefik.containo.us
resources:
- middlewares
- ingressroutes
- traefikservices
- ingressroutetcps
- ingressrouteudps
- tlsoptions
- tlsstores
verbs:
- get
- list
- watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-ingress-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
name: traefik-ingress-controller
namespace: kube-system
# 部署 Traefik RBAC 资源
# kubectl create -f traefik-rbac.yaml
serviceaccount/traefik-ingress-controller created
Warning: rbac.authorization.k8s.io/v1beta1 ClusterRole is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRole
clusterrole.rbac.authorization.k8s.io/traefik-ingress-controller created
Warning: rbac.authorization.k8s.io/v1beta1 ClusterRoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRoleBinding
clusterrolebinding.rbac.authorization.k8s.io/traefik-ingress-controller created

另一种写法:

apiVersion: v1
kind: ServiceAccount
metadata:
namespace: kube-system
name: traefik-ingress-controller
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-ingress-controller
rules:
- apiGroups: [""]
resources: ["services","endpoints","secrets"]
verbs: ["get","list","watch"]
- apiGroups: ["extensions"]
resources: ["ingresses","networking.k8s.io"]
verbs: ["get","list","watch"]
- apiGroups: ["extensions"]
resources: ["ingresses/status"]
verbs: ["update"]
- apiGroups: ["traefik.containo.us"]
resources: ["middlewares"]
verbs: ["get","list","watch"]
- apiGroups: ["traefik.containo.us"]
resources: ["ingressroutes","traefikservices"]
verbs: ["get","list","watch"]
- apiGroups: ["traefik.containo.us"]
resources: ["ingressroutetcps","ingressrouteudps"]
verbs: ["get","list","watch"]
- apiGroups: ["traefik.containo.us"]
resources: ["tlsoptions","tlsstores"]
verbs: ["get","list","watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-ingress-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
name: traefik-ingress-controller
namespace: kube-system

创建 Traefik 配置文件

在 Traefik 中的配置可以使用两种不同的方式:

  • 动态配置:完全动态的路由配置
  • 静态配置:启动配置

静态配置中的元素(这些元素不会经常更改)连接到 providers 并定义 Treafik 将要监听的 entrypoints。

在 Traefik 中有三种方式定义静态配置:在配置文件中、在命令行参数中、通过环境变量传递

动态配置包含定义系统如何处理请求的所有配置内容,这些配置是可以改变的,而且是无缝热更新的,没有任何请求中断或连接损耗。

由于 Traefik 配置很多,使用 CLI 定义操作过于繁琐,尽量使用将其配置选项放到配置文件中,然后存入 ConfigMap,将其挂入 traefik 中。

# cat traefik-config.yaml
kind: ConfigMap
apiVersion: v1
metadata:
name: traefik-config
namespace: kube-system
data:
traefik.yaml: |-
serversTransport:
insecureSkipVerify: true ## Traefik 忽略验证代理服务的 TLS 证书
api:
insecure: true ## 允许 HTTP 方式访问 API
dashboard: true ## 启用 Dashboard
debug: true ## 启用 Debug 调试模式
metrics:
prometheus: metrics ## 配置 Prometheus 监控指标数据,并使用默认配置
entryPoints:
web:
address: ":80" ## 配置 80 端口,并设置入口名称为 web
websecure:
address: ":443" ## 配置 443 端口,并设置入口名称为 websecure
traefik:
address: ":8090" ## 配置 8090 端口,并设置入口名称为 dashboard
metrics:
address: ":8082" ## 配置 8082 端口,作为metrics收集入口
tcpep:
address: ":8000" ## 配置 8000 端口,作为tcp入口
udpep:
address: ":9000/udp" ## 配置 9000 端口,作为udp入口
providers:
kubernetescrd: ## 启用 Kubernetes CRD 方式来配置路由规则
ingressclass: traefik-v2.3
kubernetesingress: ## 启动 Kubernetes Ingress 方式来配置路由规则
ingressclass: traefik-v2.3
log:
filePath: "/etc/traefik/logs/traefik.log" ## 设置调试日志文件存储路径,如果为空则输出到控制台
level: error ## 设置调试日志级别
format: json ## 设置调试日志格式
accessLog:
filePath: "/etc/traefik/logs/access.log" ## 设置访问日志文件存储路径,如果为空则输出到控制台
format: json ## 设置访问调试日志格式
bufferingSize: 0 ## 设置访问日志缓存行数
filters:
#statusCodes: ["200"] ## 设置只保留指定状态码范围内的访问日志
retryAttempts: true ## 设置代理访问重试失败时,保留访问日志
minDuration: 20 ## 设置保留请求时间超过指定持续时间的访问日志
fields: ## 设置访问日志中的字段是否保留(keep 保留、drop 不保留)
defaultMode: keep ## 设置默认保留访问日志字段
names: ## 针对访问日志特别字段特别配置保留模式
ClientUsername: drop
headers: ## 设置 Header 中字段是否保留
defaultMode: keep ## 设置默认保留 Header 中字段
names: ## 针对 Header 中特别字段特别配置保留模式
User-Agent: redact
Authorization: drop
Content-Type: keep
# 部署 Traefik ConfigMap 资源
# kubectl create -f traefik-config.yaml
configmap/traefik-config created

部署 Traefik

提前给节点设置Label,当程序部署Pod会自动调度到设置 Label的node节点上。

# kubectl label nodes develop-master-1 IngressProxy=traefik2.3
node/develop-master-1 labeled
# kubectl label nodes develop-worker-1 IngressProxy=traefik2.3
node/develop-worker-1 labeled
# kubectl label nodes develop-worker-2 IngressProxy=traefik2.3
node/develop-worker-2 labeled # 验证节点标签是否成功
# kubectl get node --show-labels
NAME STATUS ROLES AGE VERSION LABELS
develop-master-1 Ready control-plane,etcd,master,worker 98d v1.20.4 IngressProxy=traefik2.3,beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=develop-master-1,kubernetes.io/os=linux,node-role.kubernetes.io/control-plane=,node-role.kubernetes.io/etcd=,node-role.kubernetes.io/master=,node-role.kubernetes.io/worker=
develop-worker-1 Ready worker 98d v1.20.4 IngressProxy=traefik2.3,beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=develop-worker-1,kubernetes.io/os=linux,node-role.kubernetes.io/worker=
develop-worker-2 Ready worker 98d v1.20.4 IngressProxy=traefik2.3,beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=develop-worker-2,kubernetes.io/os=linux,node-role.kubernetes.io/worker=,worker=worker2 # 节点删除Label标签
# kubectl label nodes develop-master-1 IngressProxy-
# kubectl label nodes develop-worker-1 IngressProxy-
# kubectl label nodes develop-worker-2 IngressProxy-
# cat traefik-deploy.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: traefik-v2
namespace: kube-system
labels:
app: traefik-v2
spec:
replicas: 2
selector:
matchLabels:
app: traefik-v2
template:
metadata:
labels:
app: traefik-v2
spec:
serviceAccountName: traefik-ingress-controller
terminationGracePeriodSeconds: 1
containers:
- name: traefik-v2
image: traefik:v2.3
args:
- --configfile=/config/traefik.yaml
ports:
- name: web
containerPort: 80
hostPort: 80 #hostPort方式,将端口暴露到集群节点
- name: websecure
containerPort: 443
hostPort: 443 #hostPort方式,将端口暴露到集群节点
- name: admin
containerPort: 8090
- name: tcpep
containerPort: 8000
- name: udpep
containerPort: 9000
resources:
limits:
cpu: 500m
memory: 1024Mi
requests:
cpu: 300m
memory: 1024Mi
securityContext:
capabilities: ## 只开放网络权限
drop:
- ALL
add:
- NET_BIND_SERVICE
volumeMounts:
- mountPath: "/config"
name: "config"
- mountPath: /etc/traefik/logs
name: logdir
- mountPath: /etc/localtime
name: timezone
readOnly: true
volumes:
- name: config
configMap:
name: traefik-config
- name: logdir
hostPath:
path: /data/traefik/logs
type: "DirectoryOrCreate"
- name: timezone
hostPath:
path: /etc/localtime
type: File
tolerations:
- operator: "Exists" ## 设置容忍所有污点,防止节点被设置污点
hostNetwork: true ## 开启host网络,提高网络入口的网络性能
nodeSelector: ## 设置node筛选器,在特定label的节点上启动
IngressProxy: "traefik2.3"
---
apiVersion: v1
kind: Service
metadata:
name: traefik-v2
namespace: kube-system
spec:
type: LoadBalancer
selector:
app: traefik-v2
ports:
- protocol: TCP
port: 80
name: web
targetPort: 80
- protocol: TCP
port: 443
name: websecure
targetPort: 443
- protocol: TCP
port: 8090
name: admin
targetPort: 8090
- protocol: TCP
port: 8000
name: tcpep
targetPort: 8000
---
apiVersion: v1
kind: Service
metadata:
name: traefikudp-v2
namespace: kube-system
spec:
type: LoadBalancer
selector:
app: traefik-v2
ports:
- protocol: UDP
port: 9000
name: udpep
targetPort: 9000

使用Deployment类型部署,以便于在多服务器间扩展,使用 hostport 方式占用服务器 80、443 端口,方便流量进入。

# 部署 Traefik
# kubectl create -f traefik-deploy.yaml
deployment.apps/traefik-v2 created
service/traefik-v2 created
service/traefikudp-v2 created

到此 Traefik v2.3 应用已经部署完成。

这时候就可以通过节点http://IP:8090,可以看到dashboard相关信息

四、路由配置

1、配置 HTTP 路由规则 (Traefik Dashboard 为例)

Traefik 应用已经部署完成,但是想让外部访问 Kubernetes 内部服务,还需要配置路由规则,这里开启了 Traefik Dashboard 配置,所以首先配置 Traefik Dashboard 看板的路由规则,使外部能够访问 Traefik Dashboard。

创建 Traefik Dashboard 路由规则文件 traefik-dashboard-route.yaml

因为静态配置文件指定了ingressclass,所以这里的annotations 要指定,否则访问会404

# cat traefik-dashboard-route.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: traefik-dashboard
namespace: kube-system
annotations:
kubernetes.io/ingress.class: traefik-v2.3
spec:
entryPoints:
- web
routes:
- match: Host(`www.traefiktest.com`)
kind: Rule
services:
- name: api@internal
kind: TraefikService
# 部署Traefik Dashboard 路由规则对象
# kubectl create -f traefik-dashboard-route.yaml
ingressroute.traefik.containo.us/traefik-dashboard created

客户端通过域名访问服务,必须要进行 DNS 解析,可以通过 DNS 服务器进行域名解析,也可以修改 hosts 文件将 Traefik 指定节点的 IP 和自定义 host 绑定

# cat hosts
192.168.2.163 www.traefiktest.com

打开任意浏览器输入地址:http://www.traefiktest.com进行访问,打开 Traefik Dashboard.

此处没有配置验证登录,如果想配置验证登录,使用middleware即可。

2、配置 HTTP 路由规则

Traefik 已经部署完成,但是想让外部访问 Kubernetes 内部服务,还需要配置路由规则,这里用whoami 举例。

# 首先创建whoami 的 deployment
# cat whoami.yaml
## 创建一个http应用
apiVersion: apps/v1
kind: Deployment
metadata:
name: whoami
namespace: default
labels:
app: traefiklabs
name: whoami
spec:
replicas: 2
selector:
matchLabels:
app: traefiklabs
task: whoami
template:
metadata:
labels:
app: traefiklabs
task: whoami
spec:
containers:
- name: whoami
image: traefik/whoami
ports:
- containerPort: 80
---
## http应用的service
apiVersion: v1
kind: Service
metadata:
name: whoami
namespace: default
spec:
ports:
- name: http
port: 80
selector:
app: traefiklabs
task: whoami
---
## 创建一个tcp应用
kind: Deployment
apiVersion: apps/v1
metadata:
name: whoamitcp
namespace: default
labels:
app: traefiklabs
name: whoamitcp
spec:
replicas: 2
selector:
matchLabels:
app: traefiklabs
task: whoamitcp
template:
metadata:
labels:
app: traefiklabs
task: whoamitcp
spec:
containers:
- name: whoamitcp
image: traefik/whoamitcp
ports:
- containerPort: 8080
---
## tcp应用的service
apiVersion: v1
kind: Service
metadata:
name: whoamitcp
namespace: default
spec:
ports:
- protocol: TCP
port: 8080
selector:
app: traefiklabs
task: whoamitcp
---
## 创建一个ucp应用
kind: Deployment
apiVersion: apps/v1
metadata:
name: whoamiudp
namespace: default
labels:
app: traefiklabs
name: whoamiudp
spec:
replicas: 2
selector:
matchLabels:
app: traefiklabs
task: whoamiudp
template:
metadata:
labels:
app: traefiklabs
task: whoamiudp
spec:
containers:
- name: whoamiudp
image: traefik/whoamiudp:latest
ports:
- containerPort: 8080
---
## ucp应用的service
apiVersion: v1
kind: Service
metadata:
name: whoamiudp
namespace: default
spec:
ports:
- port: 8080
selector:
app: traefiklabs
task: whoamiudp
# kubectl create -f whoami.yaml
deployment.apps/whoami created
service/whoami created
deployment.apps/whoamitcp created
service/whoamitcp created
deployment.apps/whoamiudp created
service/whoamiudp created
# 创建 whoami 路由规则文件 whoami-ingreoute.yaml
# cat whoami-ingreoute.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: myingressroute
namespace: default
annotations:
kubernetes.io/ingress.class: traefik-v2.3
spec:
entryPoints:
- web # 跟ConfigMap中的保持一致
routes:
- match: Host(`whoami.foxchan.com`) && PathPrefix(`/`)
kind: Rule
services:
- name: whoami
port: 80
# kubectl create -f whoami-ingreoute.yaml
ingressroute.traefik.containo.us/myingressroute created

主机hosts文件添加如下解析

192.168.2.163 whoami.foxchan.com

查看效果,可以看到是同一个浏览器访问的是同一个pod ,这个跟下面使用kuboard来创建traefik ingressroute,同一个浏览器不停刷新访问不同的pod





问题

1.通过上述使用yaml文件创建的traefik ingressroute,可以访问使用,通过kuboard界面上也能查看到,不过位置是在集群管理-自定义资源-traefik.containo.us中



2.yaml文件部署的traefik ingressroute,访问是的时候指定pod了,但是通过kuboard界面部署的traefik ingressroute,访问的时候pod 来回变换

使用建议

应用部署到service后就可以了,然后使用kuboard来创建traefik ingressroute,记得设置annotations

  annotations:
kubernetes.io/ingress.class: traefik-v2.3

3、配置 HTTPS 路由规则

用 HTTPS 来访问我们这个应用的话,就需要监听 websecure 这个入口点,也就是通过 443 端口来访问,同样用 HTTPS 访问应用必然就需要证书,用 openssl 来创建一个自签名的证书:

# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=whoami.foxchan.com"
Generating a 2048 bit RSA private key
...................................+++
...........................................+++
writing new private key to 'tls.key'
----- # ll
-rw-r--r-- 1 root root 1119 7月 8 15:55 tls.crt
-rw-r--r-- 1 root root 1704 7月 8 15:55 tls.key

通过 Secret 对象来引用证书文件

# 要注意证书文件名称必须是 tls.crt 和 tls.key
# kubectl create secret tls who-tls --cert=tls.crt --key=tls.key
secret/who-tls created
# 另一种方式
kubectl create secret generic who-tls --from-file=tls.crt --from-file=tls.key -n default

创建一个 HTTPS 访问应用的 IngressRoute 对象:

# cat whoami-ingreoute-tls.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: ingressroutetls
annotations:
kubernetes.io/ingress.class: traefik-v2.3
spec:
entryPoints:
- websecure # 跟ConfigMap中的保持一致
routes:
- match: Host(`whoami.foxchan.com`)
kind: Rule
services:
- name: whoami
port: 80
tls:
secretName: who-tls
# kubectl create -f whoami-ingreoute-tls.yaml
ingressroute.traefik.containo.us/ingressroutetls created



使用建议

应用部署到service后就可以了,然后使用kuboard创建secret,然后来创建traefik ingressroute,记得设置annotations

  annotations:
kubernetes.io/ingress.class: traefik-v2.3

4、配置 TCP 路由规则

# cat whoami-tcp.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
name: ingressroutetcpwho
annotations:
kubernetes.io/ingress.class: traefik-v2.3
spec:
entryPoints:
- tcpep # 跟ConfigMap中的保持一致
routes:
- match: HostSNI(`*`)
services:
- name: whoamitcp
port: 8080

5、配置udp路由规则

# whoami-udp.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteUDP
metadata:
name: ingressrouteudpwho
annotations:
kubernetes.io/ingress.class: traefik-v2.3
spec:
entryPoints:
- udpep # 跟ConfigMap中的保持一致
routes:
- services:
- name: whoamiudp
port: 8080

五、中间件

中间件是 Traefik2.0 中一个非常有特色的功能,可以根据自己的各种需求去选择不同的中间件来满足服务,Traefik 官方已经内置了许多不同功能的中间件,其中一些可以修改请求,头信息,一些负责重定向,一些添加身份验证等等,而且中间件还可以通过链式组合的方式来适用各种情况。

白名单举例

设置dashboard只能白名单的ip可以访问

# 创建白名单中间件
# cat middleware-ipwhitelist.yaml
# 然后将这个中间件附加到 dashboard的服务上面去
# cat traefik-dashboard-route.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: traefik-dashboard
namespace: kube-system
annotations:
kubernetes.io/ingress.class: traefik-v2.3
spec:
entryPoints:
- web
routes:
- match: Host(`whoami.foxchan.com`)
kind: Rule
services:
- name: api@internal
kind: TraefikService
middlewares: #这里添加中间件的名字
- name: gs-ipwhitelist

这个时候我们再去访问dashboard,不在白名单的就会报403

六、路由配置(高级)

在开始traefik的高级用法之前,还需要了解一个TraefikService,通过把TraefikService注册到CRD来实现更复杂的请求设置。

TraefikService 目前能用于以下功能

  • servers load balancing.(负载均衡)
  • services Weighted Round Robin load balancing.(权重轮询)
  • services mirroring.(镜像)

1、负载均衡

# 创建k8s service
# cat svc-service.yaml
apiVersion: v1
kind: Service
metadata:
name: svc1
namespace: default
spec:
ports:
- name: http
port: 80
selector:
app: v1
---
apiVersion: v1
kind: Service
metadata:
name: svc2
namespace: default
spec:
ports:
- name: http
port: 80
selector:
app: v2
# 创建IngressRoute
# cat svc-service-ingressroute.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: ingressroutelb
namespace: default spec:
entryPoints:
- web
routes:
- match: Host(`whoami.foxchan.com`)
kind: Rule
services:
- name: svc1
namespace: default
- name: svc2
namespace: default

2、权重轮询

# 创建TraefikService
# cat wrr-service.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
name: wrr
namespace: default
spec:
weighted:
services:
- name: svc1
port: 80
weight: 3 # 定义权重
kind: Service # 可选,默认就是 Service
- name: svc2
port: 80
weight: 1
# 创建IngressRoute
# 需要注意的是现在我们配置的 Service 不再是直接的 Kubernetes 对象了,而是上面我们定义的 TraefikService 对象
# cat wrr-service-ingressout.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: ingressroutewrr
namespace: default
spec:
entryPoints:
- web
routes:
- match: Host(`who.foxchan.com`)
kind: Rule
services:
- name: wrr
namespace: default
kind: TraefikService

3、镜像

1.流量复制到k8s 的service

# Mirroring from a k8s Service
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
name: mirror-k8s
namespace: default
spec:
mirroring:
name: svc1 # 发送 100% 的请求到 K8S 的 Service "v1"
port: 80
mirrors:
- name: svc2 # 然后复制 20% 的请求到 v2
port: 80
percent: 20

2.流量从Traefik Service 导入

# Mirroring from a Traefik Service
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
name: mirror-ts
namespace: default
spec:
mirroring:
name: mirror-k8s #流量入口从TraefikService 来
kind: TraefikService
mirrors:
- name: svc2
port: 80
percent: 20

3.创建IngressRoute

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: ingressroute-mirror
namespace: default
spec:
entryPoints:
- web
routes:
- match: Host(`who.foxchan.com`)
kind: Rule
services:
- name: mirror-k8s
namespace: default
kind: TraefikService

yaml文件下载地址

https://files.cnblogs.com/files/sanduzxcvbnm/yaml文件.zip

traefik镜像版本升级

文档中使用的traefik镜像是traefik:v2.3,若是升级到traefik:v2.5,启动后则会报错如下:

E0708 17:33:27.478347    1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.20.2/tools/cache/reflector.go:167: Failed to watch *v1alpha1.MiddlewareTCP: failed to list *v1alpha1.MiddlewareTCP: middlewaretcps.traefik.containo.us is forbidden: User "system:serviceaccount:kube-system:traefik-ingress-controller" cannot list resource "middlewaretcps" in API group "traefik.containo.us" at the cluster scope

v2.3启动后日志显示

v2.5启动后日志显示

看来若是升级的话,得改yaml文件中的内容才行

参考资料:

https://blog.51cto.com/foxhound/2545116?source=dra

https://www.cnblogs.com/heian99/p/14608414.html

https://blog.51cto.com/u_13760351/2764008

kubernetes1.20 部署 traefik2.3的更多相关文章

  1. linux mysql 5.7.20 部署脚本+备份脚本

    一.官网下载源码包 源码包:mysql-5.7.20-linux-glibc2.12-x86_64.tar.gz 检查环境,卸载老版本mysql 二.自动部署脚本 进入文件目录,执行脚本 #!/bin ...

  2. Kubernetes1.15 部署 coredns

    coredns.yaml文件如下所示 # __MACHINE_GENERATED_WARNING__ apiVersion: v1 kind: ServiceAccount metadata: nam ...

  3. tomcat-9.0.20部署后输出窗口乱码解决方案

    问题:启动tomcat的时候,窗口乱码,默认都是UTF-8的,但是控制台是GBK的,要保持一致 可以通过控制台查看本机的编码: : 936  代表  GB2312 解决办法:打开tomcat目录下的c ...

  4. Kubernetes集群搭建 ver1.20.5

    目录 部署方式 1. 基础环境准备 1.1 基础初始化 1.2 安装docker 2. 部署harbor及haproxy高可用反向代理 2.1 镜像加速配置 2.2 高可用master可配置 3. 初 ...

  5. k8s mysql 单点部署

    参考官网:https://kubernetes.io/docs/tasks/run-application/run-replicated-stateful-application/ 20-nproc. ...

  6. k8s入坑之路(4)kubenetes安装

    三种安装方法: 1.kubeadm 2.kubespray 3.二进制安装 kubespray安装kubernetes集群 优点: 1.kuberspray对比kubeadm更加简洁内部集成了kube ...

  7. client-go实战之一:准备工作

    欢迎访问我的GitHub https://github.com/zq2599/blog_demos 内容:所有原创文章分类汇总及配套源码,涉及Java.Docker.Kubernetes.DevOPS ...

  8. kubeasz部署高可用kubernetes1.17.2 并实现traefik2.1.2部署

    模板机操作 # cat /etc/redhat-release CentOS Linux release 7.6.1810 (Core) # uname -a //内核升级到4.4.X以后, 关于如何 ...

  9. kubernetes学习与实践篇(二) kubernetes1.5 的安装和集群环境部署

    kubernetes 1.5 的安装和集群环境部署 文章转载自:http://www.cnblogs.com/tynia/p/k8s-cluster.html 简介: Docker:是一个开源的应用容 ...

随机推荐

  1. 深入解析Kubernetes admission webhooks

    BACKGROUND admission controllers的特点: 可定制性:准入功能可针对不同的场景进行调整. 可预防性:审计则是为了检测问题,而准入控制器可以预防问题发生 可扩展性:在kub ...

  2. Josephus问题(Ⅲ)

    题目描述 n个人排成一圈,按顺时针方向依次编号1,2,3-n.从编号为1的人开始顺时针"一二三...."报数,报到m的人退出圈子.这样不断循环下去,圈子里的人将不断减少.最终一定会 ...

  3. Solution -「二项式定理与组合恒等式」一些练习

    Task 1 \(\mathcal{Prob:}\) \((3x - 2y)^{18}\) 的展开式中, \(x^5y^{13}\) 的系数是什么?\(x^8y^9\) 的系数是什么? \(\math ...

  4. jdbc 10:jdbc事务

    jdbc连接mysql,涉及到的事务问题 package com.examples.jdbc.o10_jdbc事务; import java.sql.Connection; import java.s ...

  5. windows版本rabbitmq安装及日志level设置

    1.DirectX Repair 安装缺失的C++组件,不安装缺失的组件会造成第二部安装erl文件夹缺少bin文件夹2.安装otp_win64_23.1 1.配置 ERLANG_HOME:地址为Erl ...

  6. 在centos7.6上部署前后端分离项目Nginx反向代理vue.js2.6+Tornado5.1.1,使用supervisor统一管理服务

    原文转载自「刘悦的技术博客」https://v3u.cn/a_id_102 这一次使用vue.js+tornado的组合来部署前后端分离的web项目,vue.js不用说了,前端当红炸子鸡,泛用性非常广 ...

  7. 使用Python3.7+Tornado5.1配合七牛云存储api来异步切分上传文件

    原文转载自「刘悦的技术博客」https://v3u.cn/a_id_123 之前写了几篇关于FastDfs分布式存储的文章:python3.7.3操作FastDfs来进行文件操作,其实市面上关于云存储 ...

  8. 人理解迭代,神则体会递归,从电影艺术到Python代码实现神的逆向思维模式

    原文转载自「刘悦的技术博客」https://v3u.cn/a_id_186 "从来如此,便对么?",鲁迅先生在<狂人日记>中借狂人之口在月光下发出的质疑与呐喊,是的,从 ...

  9. 【AGC】增长服务1-远程配置示例

    ​ [AGC]增长服务1-远程配置示例 前言:上一次笔者给大家带来了AGC领域的性能管理服务的学习.这次我们再继续深化学习AGC的相关知识.在文章开始之前,再给读者简单介绍一下AGC,以免第一次来的读 ...

  10. 【原创】Magisk+Shamiko过APP ROOT检测

    本文所有教程及源码.软件仅为技术研究.不涉及计算机信息系统功能的删除.修改.增加.干扰,更不会影响计算机信息系统的正常运行.不得将代码用于非法用途,如侵立删! Magisk+Shamiko过APP R ...